U.S. Law Permits Spying on Foreigners' Cloud Data

Yesterday, Slate reported on a startling study which warns Europeans that U.S. intelligence agencies may have legal access to enormous amounts of their data stored on cloud services. Just one more security risk brought to you by "The Cloud."

Yesterday, Slate reported on a startling study which warns Europeans that U.S. intelligence agencies may have legal access to enormous amounts of their data stored on cloud services. Just one more security risk brought to you by "The Cloud."

The study from the European Parliament's Directorate-General for Internal Policies was completed in October of last year and is titled "Fighting cyber-crime and protecting privacy in the cloud." Its authors sharply rebuke the European parliament for ignoring the legal entanglements created by cloud services. The study pays particular attention to the U.S. Foreign Intelligence Surveillance Amendment (FISA) Act, which was set to expire this year but was extended through 2017 in a vote this past December.

The Cause for ConcernThe study picks out Section 1881a of the FISA act, called "Procedures for Targeting Certain Persons Outside the United States Other Than United States Persons." According to the study, the 2008 addition to FISA, "authorized mass-surveillance of foreigners (outside US territory), but whose data was within range of US jurisdiction."

In short, it is possible that if you live outside the U.S. but are using a service subject to U.S. law–say, Google Drive—that your data could be accessed by U.S. intelligence agencies. "[FISA] 1881a means that any data-at-rest formerly processed 'on premise' within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance," says the study. "Once data is transferred into a Cloud, sovereignty is surrendered."

Going Further"The scope of surveillance was extended beyond interception of communications," says the study, which Slate clarifies as including communications intercepted while being sent, "to include any data in public cloud computing as well."

It's worth noting that the study only raises the possibility of this kind of enormous spying operation, it does not accuse the U.S. of having engaged in it as yet. In their reporting, Slate notes that it would be an "audacious" undertaking, one surely not taken lightly. Slate also points to FISA supporters who say that the bill contains privacy safeguards.

Data SovereigntyThe study concludes by calling for increased "data sovereignty" and for 50% of public services to be on E.U.-controlled "clouds" by 2020. It also pushes the European Parliament to seek clarification on what protections FISA extends to European citizens and even suggests that individuals be alerted when they move their data onto cloud services which are under U.S., and not E.U., jurisdiction.

The question of data ownership, and conflicting privacy laws between nations, will only become more and more complex as companies and individuals store increasing amounts of their data in spaces which exist outside their country of origin. As is often the case with tricky legal problems, it will probably get a lot more confusing before it gets solved.

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on...
More »